Exact impersonation isn’t an unsolvable problem: 5 takeaways from our chat with WHO

In a recent podcast we spoke with the CISO of the World Health Organization Flavio Aggio, and our CEO Rahul Powar, about the state of email security at the moment. They talked about changes they’re excited to see in cybersecurity, education around DMARC and their top recommendations to keep your email security posture at its best. In this blog, we’ve highlighted 5 of the key takeaways from this session. You can listen to the full podcast here.

1. Exact email impersonation is a network issue

Over 90% of cyber attacks start with a phishing email. These are becoming more sophisticated by the day, so it’s vital that businesses are gearing up to adopt DMARC. But out of the 47 million domains we’ve analyzed over the past few years, only 1.5% are fully DMARC compliant.

DMARC stands for ‘Domain-Based Message Authentication, Reporting & Conformance’ and is a protocol designed to protect your domain against impersonation. Implemented correctly, your brand is protected, email deliverability rates improve and your employees and colleagues won’t even know it’s there. But without it, your business is left open to a host of threats and dangers which sprout from domain impersonation.

When the COVID pandemic hit in March 2020, implementing DMARC became WHO CISO Flavio Aggio’s number one priority. WHO was a global beacon of guidance in this unprecedented time, and it was vital that they could communicate with media outlets and authorities securely. It’s no secret that cybercriminals prey on emotions to hook people in, and the fear created by a worldwide pandemic provided the perfect breeding ground for their targeted attacks.

By implementing DMARC swiftly, WHO made sure that no one could endanger public health or their reputation by impersonating their domain.

The benefits of DMARC are clear, from blocking email impersonation to protecting your supply chain, improving deliverability and securing your reputation. But we need to start viewing DMARC as a network solution. It’s not just about individual protection, it’s a standard that every organization needs to have to fill the gaps in the global supply chain and email communications.

2. Internet Service Providers could revolutionize the email eco system

Since adopting DMARC, Flavio’s message has been clear: that Internet Service Providers (ISPs) should make email authentication compulsory for all sending sources. If this was the case, the volume of processing these providers currently do would be slashed, and their business models would be revolutionized. But more importantly, the internet would be a safer place for everyone, and cybercriminals would have a much harder time carrying out impersonation attacks.

As Red Sift CEO Rahul Powar put it, ‘impersonation isn’t an unsolvable problem’. But in order to solve this problem, we need to acknowledge that email, without modern authentication standards layered on top, is not suitable for today’s internet.

So, it’s vital that we keep implementing the right protocols and machine-based solutions to suit our ever-evolving landscape. If we don’t, then our infrastructure could develop weaknesses and become more susceptible to sophisticated attacks over time.

3. When it comes to email security, knowledge is power

We’ve found that out of the Fortune 100 and 250 companies in the world, only 35% have fully implemented DMARC. So, a worrying 75% of these high value businesses brimming with customer data, capital and brand reputation, are at risk of domain fraud. Why?

Perhaps because there is a lack of education surrounding DMARC. The more you know about something, the better informed decisions you make. If these companies don’t have visibility of the scale of their problem and what’s going on around them, then there’s no incentive to do anything differently.

Ignorance is far from bliss, as demonstrated by the fallout from sophisticated cyberattacks on high profile organizations since COVID began. Companies worldwide need to be having what Rahul calls the ‘lightbulb moment’. This is when they can see the aggregate reports of where their domain is being fraudulently used, and then confidently take the steps to secure their domain and stop this. Companies who use OnDMARC, Red Sift’s gold standard solution for implementing DMARC, have easy access to all aggregate reports plus advanced forensics too, creating an additional layer of insight into their email landscape.

Even within the IT community, there seems to be some misunderstanding surrounding email impersonation, from exactly what DMARC does to the benefits of implementing it. There is also misinformation that circulates surrounding SEGs and unreliable ‘pseudo DMARC’ quick fixes. But one thing is clear; once organizations do understand the necessity of DMARC, they don’t go back. As Rahul put it, ‘every CISO I know who has worked in at least one organization with DMARC now can’t imagine working anywhere which hasn’t implemented it.’

4. The companies who don’t implement DMARC will bear the load in the future

It’s no secret that cyberattacks are constantly evolving. From the more primitive mass email attacks like the 2000 ILOVEYOU computer worm to the tailored, socially engineered spear phishing episodes we’re seeing now.

Hackers are getting smarter about who and how they target. But as more companies adopt a secure DMARC policy to protect their domains, the businesses who stay in the past will suffer a disproportionate number of attacks in the future. After all, this traffic needs to go somewhere.

5. There’s no silver bullet, but there is the Swiss Cheese Model

What technology can do for cyber and email security today is immeasurable, but as with most things, there’s no silver bullet solution or product which will solve all of the current and future challenges facing our industry. Instead Flavio talked about how we need to adopt a Swiss Cheese Model when it comes to our email and cyber security protection. This Swiss Cheese Model is essentially the practice of adding many layers of defence which each target different issues and overlap to reduce the risk of a single point of failure.

Building from the basics, companies should begin by implementing the widely-accepted protocols (like DMARC, BIMI, 2FA) which they know work and then build upon these based on their needs. Flavio suggests companies should ask two questions during this process:

  • Do we need the technology?
  • Is it worthwhile and will it have a large enough impact?

Once you’ve identified and implemented your additional security layers, these will work in sync to overlap and plug the gaps, ensuring the safest solution for your company’s data, money and reputation.

A final word

Every company has unique needs, and so to make the right choices for your security posture, you need to be asking yourself honestly what risk acceptance you’re willing to take. But with cybercrime and impersonation an ever-growing threat, all businesses are responsible for securing their circle of influence in the email network to a degree. Implementing the standards-based solutions like DMARC, 2 Factor Authentication, BIMI and Encryption is the least every company should be doing to secure the network we’re all a part of.

If we make these solutions robust and build them into the globally-accepted protocol, we can work to fortify our email security network for the future.

Want to start protecting your domain from impersonation and improving your deliverability today? Register for an OnDMARC free trial and get full visibility and control of what’s happening in your email landscape.


Sabrina Evans

26 May. 2021



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more